From ArchWiki
Revision as of 19:54, 6 September 2017 by (talk | contribs) (simplification and beautification of wikilinks (interactive))
Jump to navigation Jump to search

This article describes how to set up a mail server suitable for personal or small office use.

Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with security in mind. Developed by Timo Sirainen, Dovecot was first released in July 2002. Dovecot primarily aims to be a lightweight, fast and easy to set up open source mailserver. For more detailed information, please see the official Dovecot Wiki.


Install the dovecot package.



  • Each mail account served by Dovecot, has a local user account defined on the server.
  • The server uses PAM to authenticate the user against the local user database (/etc/passwd).
  • SSL is used to encrypt the authentication password.
  • The common Maildir format is used to store the mail in the user's home directory.
  • A MDA has already been set up to deliver mail to the local users.

Create the SSL certificate

The dovecot package contains a script to generate the server SSL certificate.

  • Copy the example configuration: # cp /usr/share/doc/dovecot/dovecot-openssl.cnf /etc/ssl/dovecot-openssl.cnf.
  • Edit /etc/ssl/dovecot-openssl.cnf to configure the certificate.
  • Execute # /usr/lib/dovecot/ to generate the certificate.

The certificate/key pair is created as /etc/ssl/certs/dovecot.pem and /etc/ssl/private/dovecot.pem.

Run cp /etc/ssl/certs/dovecot.pem /etc/ca-certificates/trust-source/anchors/dovecot.crt and then # trust extract-compat whenever you have changed your certificate.

Warning: If you plan on implementing SSL/TLS, please respond safely to POODLE and FREAK/Logjam by adding the following to your configuration in /etc/dovecot/conf.d/10-ssl.conf:
ssl_protocols = !SSLv3
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048

Dovecot configuration

  • Copy the dovecot.conf and conf.d/* configuration files from /usr/share/doc/dovecot/example-config to /etc/dovecot:
# cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot
# cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot

The default configuration is ok for most systems, but make sure to read through the configuration files to see what options are available. See the quick configuration guide and dovecot configuration for more instructions.

By default dovecot will try to detect what mail storage system is in use on the system. To use the Maildir format edit /etc/dovecot/conf.d/10-mail.conf to set mail_location = maildir:~/Maildir.

PAM Authentication

  • To configure PAM for dovecot, create /etc/pam.d/dovecot with the following content:
auth    required nullok
account required 

PAM Authentication with LDAP

  • If you are using an OpenLDAP server for authentication instead, be sure to be able to login with your LDAP users first, as described in LDAP authentication.

You can then write the following in /etc/pam.d/dovecot remembering that the entries order is very important:

auth    sufficient
auth    required     nullok
account sufficient
account required
session required skel=/etc/skel umask=0022
session sufficient

In this way both LDAP and system users have their mailbox.

  • Edit /etc/dovecot/conf.d/auth-system.conf by changing the passdb directive, like this:
passdb {
  driver = pam
  args = session=yes dovecot

By using the module and by adding the session part in the passdb directive, if an LDAP user logs in for the first time the corresponding home directory will be automatically created.


Sieve is a programming language that can be used to create filters for email on mail server.

Sieve Interpreter Plugin

This facilitates the actual Sieve filtering upon delivery.

  • Install pigeonhole.
  • Depending on your usage, add sieve to mail_plugins in
    • /etc/dovecot/conf.d/15-lda.conf
      protocol lda {
        mail_plugins = $mail_plugins sieve
    • and/or /etc/dovecot/conf.d/20-lmtp.conf
      protocol lmtp {
        mail_plugins = $mail_plugins sieve
Note: Nowadays it is recommended to use LMTP instead of LDA. Nevertheless the Dovecot LDA can still be used for small mailservers. More information can be found in the Dovecot Wiki
  • Optionally, add configuration in plugin section. See Sieve Interpreter Documentation for configuration options and default values.
    Example: run cp /usr/share/doc/dovecot/example-config/conf.d/90-sieve.conf /etc/dovecot/conf.d/90-sieve.conf and verify in /etc/dovecot/conf.d/90-sieve.conf:
    plugin {
      sieve = file:~/sieve;active=~/.dovecot.sieve 
Note: Configuration files in /etc/dovecot/conf.d/ will not be read without a line in /etc/dovecot/dovecot.conf like !include /etc/dovecot/conf.d/*.conf. If you are following the Virtual user mail system guide, you may need to add this line.
Example: SpamAssassin - move spam to "Junk" folder
  • Add spamtest configuration
plugin {
  sieve_extensions = +spamtest +spamtestplus

  sieve_spamtest_status_type = score
  sieve_spamtest_status_header = \ 
    X-Spam_score: (-?[[:digit:]]+\.[[:digit:]]).* 
  sieve_spamtest_max_value = 5.0 

  sieve_before = /var/lib/dovecot/sieve/global_sieves/move_to_spam_folder.sieve

Note: This tests for "X-Spam_score" (which is the spam header format in default Exim configuration). Your header might look different, ie "X-Spam-Score".

  • Create sieve script: mkdir -p /var/lib/dovecot/sieve/global_sieves
require "spamtestplus";
require "fileinto";
require "relational";
require "comparator-i;ascii-numeric";

if spamtest :value "ge" :comparator "i;ascii-numeric" "5" {
  fileinto "Junk";
  • To compile sieve, execute in shell
    sievec /var/lib/dovecot/sieve/global_sieves
    and make sure the move_to_spam_folder.sieve and the resulting move_to_spam_folder.svbin files are world readable.

ManageSieve Server

This implements the ManageSieve protocol through which users can remotely manage Sieve scripts on the server.

  • Follow the steps in Sieve Interpreter Plugin above.
  • Add sieve to protocols in dovecot.conf
    protocols = imap pop3 sieve
  • Add minimal /etc/dovecot/conf.d/20-managesieve.conf
    service managesieve-login {
    service managesieve {
    protocol sieve {
  • Restart dovecot. The managesieve daemon will listen on port 4190 by default.

Starting the server

Use the standard systemd syntax to control the dovecot.service daemon.


Generate hashes with non-default hash functions.

doveadm pw -s SHA512-CRYPT -p "superpassword"

Remember to make sure that the column in the database is large enough(you might not get a warning..)

Remember to set the password scheme in your dovecot-sql.conf file

default_pass_scheme = SHA512-CRYPT